Declares the scope of the cookies, and controls if they should be restricted to a first-party or same-site context.
Lax | Cookies are sent with same-site requests, and with cross-site top-level navigations. |
None | Cookies are sent with same-site and cross-site requests. It requires a secure context/HTTPS. |
Strict | Cookies are sent along with same-site requests. |
Do not specify | Cookies are sent with same-site and cross-site requests. |
Generators: Java, .NET, .NET Core
Level: Environment
For new Knowledge Bases the default value for the property is "Lax," while for existing KBs created with a version prior to GeneXus 17 upgrade 3 it is "Do not specify."
This property is used as a countermeasure to mitigate CSRF attacks. For more information regarding security on this attribute, please read the OWASP recommendations.
The browser's behavior on this matter was defined by the IETF in the document Incrementally Better Cookies, and it has been implemented on Chromium Browser since version 85; other browsers will follow.
In summary, there are 3 possible values for this cookie attribute:
- Lax: The cookie will be attached to the browser's responses for requests from same-site or cross-site requests on the top-level navigation. This is also the default value browsers will apply if the Secure attribute is set to True and the SameSite value is not specified, which means that applications containing or using iFrames will not work unless the SameSite attribute is set to None.
- Strict: The cookie will not be sent on any cross-site request; it will be sent only for same-site requests. This is the safer and more restrictive configuration.
- None: The cookie will always be sent when the Secure attribute is set to True. If the Secure attribute is set to False (in developing environments using HTTP, for example) the cookie will never be sent.
The Do not specify value was implemented because of backward compatibility reasons. It can be changed on deployment using infrastructure or web server configuration options. The same applies to the Secure attribute.
This configuration will apply to all cookies, including those generated using the Cookie data type.
Values different than 'Do not specify' are only supported in .NET Framework 4.7.2 or higher
Because the 2016 and 2019 draft specifications are not compatible, the November 2019 .Net Framework update introduces some changes that may be breaking. Session State and Forms Authentication cookies are now written to the network as Lax instead of unspecified. As a consequence, 'Unspecified' is only available to httpCookies at the moment. That means all cookies except the ASPNet Cookie (ASP.Net_SessionId).
For more information, please visit this link.
This property applies only at design-time.
For example, requests for https://example.com/sekrit-image will attach same-site cookies if and only if initiated from a context whose 'site for cookies' is example.com.
To apply the corresponding changes when the property value is configured, execute Build any object with the purpose of generating the *.config files. |
This property is available since GeneXus 17 upgrade 3.